Okay so here is the deal... We are cutting back from 2 T1's down to 1 T1 because we've let staff go. Our exchange server is still cooking along and all outside locations (10-15 locations) use webmail.

We only have 250ish employees and there is no way we are transferring this much data.

For the past two days now, our bandwidth has just been pegged and I can't conclude where it's coming from. 1.5 mbits up and down are both being used but I can't tell for what. Just about all clients are running Symantec Antivirus CE and live update is cooking along as it should. I remember, we were blacklisted 4 or 5 times a couple months ago so I turned off the POP server after business hours but doing a SCAN on messages sent during the wee morning/night hours still shows hundreds of messages sent, when no one is here.

While researching why we were blacklisted I remember reading about how spammers have a floating program out there that hops from machine to machine to send SPAM out that is virtually undetectable.

Any recommendations? That bandwidth used for 4 hours is WAYYYY too high (see picture)

7 Replies

OK, I'm assuming this EXPSTUDIO is running on your Exchange server? It doesn't look like your Exchange server is the issue... 12k in, 62k out seems about right considering the number of OWA users you have.

In my experience your bandwidth eaters are streaming media (music and video). A single streamed radio station will eat up a ton of bandwidth and about 3 will kill a T1. By today's standards, a T1 is VERY small (your home cable has 6mbit down/1up in a lot of cases).

Go to your firewall and see if you can pull up a report that measures bandwidth to IP address and you can track down who's eating you up and see what they're doing. Consider blocking popular ports (you'll need to Google stuff, like BitTorrent, MSN radio, youtube, etc) on the firewall.

Next up on your hit list is content filtering. Untangle, SonicWall, WebSense, Fortigate to name a few. OpenDNS is a good service that will do a lot of content filtering via blocking specific DNS queries, pretty cool stuff and very inexpensive.

Tried running SHOW LOG on our Cisco router, but I don't really know what I am looking at. It only happened once today but the next time it slows down I am going to CLEAR LOG and then SHOW LOG and run NETSTAT -an 10 > textfile.txt. That should let me know what's going on a bit more, right?

As for an analyzer, those cost money and I am in the mortgage industry where we don't believe in spending any money on IT or HR...but we'll finance our executives' 5th home and a 3rd refi! :)
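One way to read the `NETSTAT -an 10` capture mentioned above, as an added example that is not part of the original post: it tallies which hosts are submitting mail to the server's port 25 and which remote mail servers it is delivering to. The function name, the sample addresses and the sample output are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an 10` output (two snapshots); not real data.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:25        192.168.1.57:1399      ESTABLISHED
  TCP    192.168.1.10:25        192.168.1.57:1402      ESTABLISHED
  TCP    192.168.1.10:443       203.0.113.20:51000     ESTABLISHED
  TCP    192.168.1.10:3011      198.51.100.7:25        ESTABLISHED
  TCP    192.168.1.10:3012      198.51.100.9:25        SYN_SENT

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:25        192.168.1.57:1410      ESTABLISHED
  TCP    192.168.1.10:3020      198.51.100.7:25        TIME_WAIT
  TCP    192.168.1.10:3021      192.0.2.44:25          ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# One TCP row: local addr:port, foreign addr:port, state (UDP rows have no state).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def summarize_smtp(text, smtp_port=25):
    """Return (submitters, destinations) Counters of SMTP connections seen."""
    submitters = Counter()    # remote hosts connected to our port 25
    destinations = Counter()  # remote mail servers we connect out to
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        if state == "LISTENING":
            continue  # a listening socket is not a connection
        if int(local_port) == smtp_port:
            submitters[remote_ip] += 1
        elif int(remote_port) == smtp_port:
            destinations[remote_ip] += 1
    return submitters, destinations

if __name__ == "__main__":
    for label, counts in zip(("inbound to :25", "outbound to :25"), summarize_smtp(SAMPLE)):
        print(label, counts.most_common())
```

A single internal address dominating the inbound tally during hours when nobody is in the office, paired with a long list of distinct outbound destinations, points at the workstation to inspect first.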

Uh... actually any analyzer I've ever used has been free. I've used wireshark since it was ethereal. Wireshark® is available under the GNU General Public License version 2. I just hopped on my mail server for an example and attached a screenshot of what smtp traffic will look like (lol - guess it's still ethereal - I better uninstall). But it shows you everything else hitting the interface as well.

Setting up an mx relay will also protect you from all kinds of problems ranging from security from attacks/compromise/unauthorized relays to business continuity during mail server downtime. There was a discussion on it over at this post...

Mine is running on Windows, but Linux works just as well with the right versions and knowledge.

I'm using it for mostly longer term trending. But it works well for seeing if somebody is maxing out your internet connection too. When you click on the individual graph, you get more detail as far as daily, weekly, monthly, and yearly graphs with averages in text below the graphs. See the attached screen shot.

In addition to bandwidth, you can also use it to graph any SNMP monitorable value. Hard disk space, CPU usage, temp and humidity (from my AVTECH Room Alert environmental monitor), etc. The AVTECH box took a bit of work to get running, but it has been well worth it. I can keep an easy eye on the temperature and humidity for the sensors in my server room without having to use the provided GUI on the appliance.

It is a pretty easy way to see if one box is spewing onto the network at a glance, as long as you are monitoring it.

It updates every 5 minutes, so it is definitely not realtime. But you can see how your bandwidth use changes over time.

As the screen shot shows, my server "Spanky" has a huge spike each night from 11pm to about 4:30am. My backups take 5 hours and 30ish minutes (all 600GB worth). :-)
